[Pulp-dev] Removing MD5 and SHA-1 as default available checksums in 3.11

Brian Bouterse bmbouter at redhat.com
Fri Feb 12 20:13:00 UTC 2021

tl;dr With pulpcore 3.11, the plan is to remove MD5 and SHA-1 from the list
of default available checksums.  RPM and Migration plugin users will need
to add this back in at 3.11 upgrade time for your systems to continue
working. Please give on-list feedback on this change.

## Background

Pulp has the ALLOWED_CONTENT_CHECKSUMS setting [0] which, by default,
currently includes md5, sha-1, sha-224, sha-256, sha-384, and sha-512. Pulp
code is restricted to only using hashers from this list. This feature gives
admins the ability to prohibit hashers they do not trust. Pulp uses these
checksums for package integrity verification purposes when syncing and
publishing content.

## Motivation

We need to make Pulp secure by default. MD5 is known to be insecure, and
therefore it is unsafe for Pulp to allow its use for calculating package
integrity by default. SHA-1 is widely believed to be insecure, or will be
soon, and should not be allowed by default for the same reason.

## Proposal

Pulpcore 3.11 would remove md5 and sha-1 from the default list of allowed
checksums, leaving sha-224..sha-512. Specifically this change is occurring
in the `ALLOWED_CONTENT_CHECKSUMS` setting [0]. This is only a change to
the default settings; any specific system can be configured as desired.
Nothing is "being taken away".

## Required User Action with 3.11

We believe both RPM plugin users and Migration plugin users will be
impacted by this and mostly from the SHA-1 removal. SHA-1 is still used on
a variety of CDNs including Red Hat's. Also as data is migrated from Pulp2
systems, this also likely uses SHA-1 and MD5 as the migration plugin runs.

If users are using the defaults for `ALLOWED_CONTENT_CHECKSUMS` and want to
continue using SHA-1, they will need to update `ALLOWED_CONTENT_CHECKSUMS`
in their settings file. Alternatively, users will need to run
`pulpcore-manager handle-artifact-checksums` after upgrade to update any
existing artifacts after upgrading.

## Why not automate this?

We do not take manual user action at upgrade time lightly. However, this is
a security change, and we believe we need each Pulp system to opt-in for
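
Added example, not part of the original post and not Pulp's own code: a sketch of how an allow-list of hashers like the one described under Background behaves during verification, and why metadata that carries only SHA-1 is rejected once SHA-1 leaves the defaults. The function name, exception classes, hashlib-style algorithm names and the sample payload are assumptions made for illustration.

```python
import hashlib

# Strongest first; names are hashlib's (assumed here, not taken from the post).
STRENGTH_ORDER = ["sha512", "sha384", "sha256", "sha224", "sha1", "md5"]
OLD_DEFAULT = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
NEW_DEFAULT = ["sha224", "sha256", "sha384", "sha512"]


class ChecksumPolicyError(Exception):
    """Raised when no declared checksum uses an allowed algorithm."""


class DigestMismatch(Exception):
    """Raised when the computed digest differs from the declared one."""


def verify_artifact(data, declared, allowed):
    """Verify data against the strongest declared checksum that is allowed.

    declared maps algorithm name -> hex digest, as repo metadata would.
    Returns the algorithm used. Disallowed hashers are never instantiated.
    """
    usable = [a for a in STRENGTH_ORDER if a in declared and a in allowed]
    if not usable:
        raise ChecksumPolicyError(
            "metadata only offers %s; allowed: %s"
            % (sorted(declared), sorted(allowed))
        )
    algo = usable[0]
    actual = hashlib.new(algo, data).hexdigest()
    if actual != declared[algo].lower():
        raise DigestMismatch("%s mismatch" % algo)
    return algo


# Constructed sample: one package whose metadata carries only SHA-1,
# and the same package with both SHA-1 and SHA-256 declared.
PACKAGE = b"constructed package payload"
SHA1_ONLY = {"sha1": hashlib.sha1(PACKAGE).hexdigest()}
BOTH = {"sha1": SHA1_ONLY["sha1"], "sha256": hashlib.sha256(PACKAGE).hexdigest()}

if __name__ == "__main__":
    print(verify_artifact(PACKAGE, SHA1_ONLY, OLD_DEFAULT))  # sha1
    print(verify_artifact(PACKAGE, BOTH, NEW_DEFAULT))       # sha256
    try:
        verify_artifact(PACKAGE, SHA1_ONLY, NEW_DEFAULT)
    except ChecksumPolicyError as exc:
        print("rejected:", exc)
```

With the old default list the SHA-1-only package verifies; with the new one it is refused before any hashing happens, which is the failure an upstream that publishes only SHA-1 would produce until the allow-list is extended.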


